Full Report
2025-04-09 • NCSC UK • ASD, BND, Bundesamt für Verfassungsschutz, Canadian Centre for Cyber Security (CCCS), FBI, NCSC UK, New Zealand National Cyber Security Centre (NZ NCSC), NSA • apk.badbazaar Open article on Malpedia
Analysis Summary
# Best Practices: Digital Surveillance Mitigation for High-Risk Communities
## Overview
These practices are derived from guidance shared by the NCSC and its international partners (including ASD, BND, CCCS, FBI, NZ NCSC, and NSA) specifically aimed at mitigating risks associated with sophisticated digital surveillance targeting communities, organizations, or individuals deemed at high risk. The focus is on hardening digital boundaries and operational security (OpSec).
## Key Recommendations
### Immediate Actions (Triage & Hardening)
1. **Assume Compromise and Reset:** Immediately assume that any device potentially exposed to targeted surveillance (e.g., communication devices used during sensitive operations) may be compromised. Perform a full factory reset on these devices after securely backing up only essential, non-sensitive data via an uncompromised channel.
2. **Update All Software:** Ensure operating systems (OS), applications, and firmware across all communication devices (phones, laptops, tablets) are updated to the latest stable versions immediately to patch known vulnerabilities targeted by surveillance efforts.
3. **Review and Limit Application Permissions:** Conduct a comprehensive audit of all installed applications. Revoke unnecessary permissions (especially microphone, camera, location, and accessibility services) from all non-essential apps.
### Short-term Improvements (1-3 months)
1. **Implement Strong, Encrypted Communications:** Transition all sensitive communications to end-to-end encrypted (E2EE) messaging applications utilizing open-source, audited protocols (e.g., Signal). Ensure all participants are using the latest versions and have verification settings enabled.
2. **Isolate Sensitive Workflows:** Segregate devices based on function (e.g., dedicated "clean" devices for sensitive discussions, separate devices for general internet use). Never mix activities on the same device.
3. **Strengthen Authentication:** Mandate the use of strong, unique passphrases for all accounts and enable Multi-Factor Authentication (MFA) universally, prioritizing hardware tokens (like FIDO2 keys) or authenticator apps over SMS-based MFA.
4. **Review Email Security:** Implement Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) for organizational domains, if applicable, to prevent sender spoofing.
### Long-term Strategy (3+ months)
1. **Develop a Formal Digital Security Policy (OpSec):** Establish and mandate documented operational security procedures covering device lifecycle management, clean room setups, data transfer protocols, and incident response plans specifically tailored to targeted surveillance scenarios.
2. **Physical Security Integration:** Integrate digital security planning with physical security practices (e.g., "Faraday bags" for temporary signal blocking, strict controls over device charging locations).
3. **Regular Security Audits:** Schedule recurring professional penetration testing and digital forensics readiness exercises to proactively identify and close potential surveillance vectors.
4. **Invest in Security Training:** Conduct continuous, role-specific training covering phishing recognition, digital footprint minimization, metadata awareness, and secure workflow adoption.
## Implementation Guidance
### For Small Organizations
- **Focus on Basics:** Prioritize MFA enforcement, mandatory OS/Software patching schedules, and the adoption of a single, well-vetted E2EE platform for all internal communication.
- **Use Managed Solutions:** Utilize commercially available, security-focused cloud services that handle underlying infrastructure hardening, reducing the burden of manual configuration.
### For Medium Organizations
- **Establish Asset Inventory:** Create and maintain a comprehensive, real-time inventory of all hardware and software assets connected to the network.
- **Network Segmentation:** Implement basic network segmentation to separate guest, corporate, and sensitive research/communications networks, limiting lateral threat movement.
### For Large Enterprises
- **Deploy Endpoint Detection and Response (EDR):** Implement advanced EDR solutions across all endpoints capable of monitoring for low-level system anomalies indicative of targeted malware or remote access tools.
- **Zero Trust Architecture (ZTA):** Begin phased implementation of a Zero Trust model, moving away from perimeter-based defense and enforcing least-privilege access for every user and device attempting to access resources.
- **Implement Mobile Device Management (MDM):** Use MDM solutions to enforce security policies remotely, enforce encryption mandates on mobile devices, and enable remote wipe capabilities.
## Configuration Examples
*Note: Specific configurations are highly dependent on the platform, but the principles below should be applied.*
1. **Disabling Unnecessary Services (Principle):** On portable devices, disable Bluetooth, Wi-Fi, and GPS/Location Services when not actively required for mission-critical operations.
2. **Enforcing Strong Disk Encryption:** Ensure Full Disk Encryption (e.g., BitLocker or FileVault) is enabled on all laptops/desktops, configured for **pre-boot authentication (PBA)** using a complex passphrase, not just simple PINs.
## Compliance Alignment
While this guidance is focused on targeted threat mitigation rather than routine compliance, adherence supports the following frameworks:
- **NIST Cybersecurity Framework (CSF) v1.1/2.0:** Functions like *Identify* (Asset Management), *Protect* (Access Control, Data Security), and *Detect* (Continuous Monitoring).
- **ISO/IEC 27001/27002:** Specifically controls related to Access Control (A.9), Cryptography (A.10), and Secure Communications (A.13).
- **CIS Critical Security Controls (v8):** Controls 1 (Inventory), 3 (Data Protection), 4 (Secure Configuration), and 7 (Email & Web Browser Protections).
## Common Pitfalls to Avoid
- **Device Consolidation:** Using a single device for both highly sensitive encrypted communication and routine, non-secure internet browsing (e.g., social media, entertainment).
- **Ignoring Metadata:** Focusing solely on message content encryption while neglecting metadata leakage (time stamps, recipient lists, communication frequencies), which can be highly revealing.
- **Outdated Updates:** Trusting built-in OS security features while neglecting application-layer updates, as many targeted attacks exploit common application flaws (e.g., browsers, PDF readers).
- **Reliance on SMS MFA:** Using SMS-based Multi-Factor Authentication, which is susceptible to sophisticated SIM-swapping attacks.
## Resources
- **NCSC Guidance:** Refer directly to the NCSC UK's materials regarding secure communications and threat modeling.
- **Open-Source Crypto Tools:** Research audited, open-source tools for secure messaging and file exchange (e.g., Signal, PGP/GPG).
- **Threat Modeling Frameworks:** Utilize established frameworks like MITRE ATT&CK to understand potential adversarial techniques relevant to targeted surveillance.